Audit Report

OIG-12-076
INFORMATION TECHNOLOGY: Treasury’s Security Management of TNet Needs Improvement
September 27, 2012

Office of Inspector General
Department of the Treasury


Contents

Audit Report

Results in Brief ..... 1
Background ..... 2
Findings and Recommendations ..... 4
    Weaknesses Existed in Physical Security Protection of TNet at AT&T’s Primary IDC Site ..... 4
    Recommendations ..... 6
    Not All Security Controls Required by NIST SP 800-53, Revision 3, Were Tested and Implemented ..... 8
    Recommendation ..... 9
    TNet’s Patch Management Process Was Not Fully Implemented ..... 9
    Recommendations ..... 12
    The COR and TNet PMO Did Not Adequately Monitor TNet’s Security Performance Measures ..... 13
    Recommendations ..... 15
    POA&M Management Could Be Improved ..... 16
    Recommendations ..... 18
    Certain TNet Security Procedures Were Not Documented As Required ..... 19
    Recommendation ..... 20

Appendices

    Appendix 1: Objectives, Scope, and Methodology ..... 21
    Appendix 2: Management Response ..... 22
    Appendix 3: Major Contributors to This Report ..... 26
    Appendix 4: Report Distribution ..... 27

Treasury’s Security Management of TNet Needs Improvement (OIG-12-076)


Abbreviations

  ATO        authority to operate
  CIO        Chief Information Officer
  COR        Contracting Officer’s Representative
  DoS        Denial of Service
  IDC        Internet Data Center
  ISSM       Information System Security Manager
  NIST SP    National Institute of Standards and Technology Special Publication
  OIG        Office of Inspector General
  OMB        Office of Management and Budget
  POA&M      Plan of Action and Milestones
  PMO        Program Management Office
  SLA        Service Level Agreement
  TNet       Treasury Network


OIG
The Department of the Treasury
Office of Inspector General

Audit Report

September 27, 2012

Robyn East
Deputy Assistant Secretary for Information Systems and Chief Information Officer
Department of the Treasury

This report represents the results of our audit of the Department of the Treasury’s (Treasury) security management of Treasury Network (TNet).[1] The objective of this audit was to determine whether Treasury ensured that TNet security controls met federal standards and guidelines.

[1] TNet is a wide area network that provides Treasury with e-mail, Internet, and voice traffic applications. The TNet task order was awarded under the General Services Administration Networx universal contract (Contract Number GS00T07NSD0007).

To accomplish our objective, we reviewed and analyzed TNet’s security-related documentation. We performed observation and testing at the TNet contractor, AT&T, facilities in Oakton and Ashburn, Virginia. We also interviewed Treasury and AT&T personnel responsible for the security management of TNet.

We performed our fieldwork in the Washington, DC, metropolitan area from November 2011 through June 2012. The audit was conducted in accordance with generally accepted government auditing standards. Our objectives, scope, and methodology are described in appendix 1.

Results in Brief

Based on the results of our work, we concluded that Treasury’s security management of TNet needs improvement. Treasury did not ensure that security controls provided for TNet fully met federal standards and guidelines. Specifically, we found that:

1. Weaknesses existed in physical security protection of TNet at AT&T’s primary Internet Data Center (IDC) site.

2. Not all security controls required by National Institute of Standards and Technology Special Publication (NIST SP) 800-53, Revision 3,[2] were tested and implemented.

3. TNet’s patch management process was not fully implemented.

4. The Contracting Officer’s Representative (COR) and TNet Program Management Office (PMO) did not adequately monitor TNet’s security performance measures.

5. Plan of Action and Milestones (POA&M) management could be improved.

6. Certain TNet security procedures were not documented as required.

[2] NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations (Aug. 2009).

We are making 14 recommendations to Treasury’s Chief Information Officer (CIO) to improve the security management of TNet.

In a written response to a draft copy of this report, the Treasury CIO agreed with our findings and recommendations and provided corrective action plans (see appendix 2). Treasury’s planned corrective actions are responsive to the intent of our recommendations.

Background

TNet provides Treasury, its bureaus, and on-site contractors with telecommunication services. On September 21, 2007, Treasury procured TNet as a successor to the Treasury Communications System through the General Services Administration’s Networx Universal Contract and selected AT&T as the vendor. At that time, TNet was estimated to cost $270 million. The total contract cost is now estimated at $449 million. Based on AT&T’s proposal, implementation of TNet was to have started in October 2007. However, implementation under an interim authority to operate (ATO)[3] did not occur until August 2009. Furthermore, because of a number of security risks that needed to be remediated, TNet did not receive a full ATO until March 2011, more than a year and a half after the interim ATO.

[3] ATO is the official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk associated with the system’s operation. ATO can only be granted after the authorizing official has assessed the results of the certification and accreditation (a comprehensive assessment of the management, operational, and technical security controls for a system) package and deemed that the risk to agency operations, agency assets, or individuals is acceptable.

The Internal Revenue Service Procurement Office was responsible for procurement, management, and administration of the TNet task order. On December 16, 2010, the Treasury Office of the CIO agreed to perform management oversight of TNet. The TNet PMO, which is located within the Office of the CIO, performs program oversight of the TNet contractor’s operations. The TNet PMO also serves as an interface between Treasury and AT&T to monitor service level agreements (SLA) and manage invoices. The TNet COR continues to work for the Internal Revenue Service and is responsible for, among other things, maintaining the complete contract working files.

We performed our audit at the TNet contractor, AT&T, facilities in Oakton and Ashburn, Virginia. AT&T’s Enterprise Management Center located in Oakton, Virginia, is the primary facility that provides all network support, management, and maintenance for TNet. The backup facility is located in Durham, North Carolina. AT&T’s IDC located in Ashburn, Virginia, is the primary facility that provides Treasury internet access through a Trusted Internet Connection. The backup IDC is located in Mesa, Arizona.


Findings and Recommendations

Finding 1    Weaknesses Existed in Physical Security Protection of TNet at AT&T’s Primary IDC Site

We found weaknesses in physical security protection for TNet at AT&T’s primary IDC site. Specifically, we found that some non-TNet AT&T personnel had physical access to TNet cages at the IDC without having undergone required background investigations. We also found that the IDC cages’ power supply units were not locked. Finally, we found that 16 failed hard disk drives at the IDC were not properly labeled or tracked prior to destruction. It should be noted that after we informed Treasury officials of this matter, the TNet PMO told us that AT&T subsequently provided Treasury with the failed hard drives for destruction.

We found that AT&T technical support personnel working at the IDC had physical access to TNet’s cages without having undergone a Treasury background investigation. The AT&T TNet IDC Architect informed us that AT&T granted physical access to these individuals for emergency purposes and that all AT&T technical support personnel undergo a background check as a condition of employment. However, AT&T was unable to provide us with any evidence that they performed a background investigation for the AT&T technical support personnel we identified. The TNet PMO stated that the IDC is not Treasury owned or controlled and that the persons lacking demonstrable security clearances were not involved in contracts that involve the design, operation, repair, or maintenance of information systems.

The TNet contract requires that AT&T adhere to all Treasury policies and procedures. Therefore, Treasury Directive Policy (TD P) 15-71[4] would apply to AT&T in this situation. This policy requires that all Federal employees, contractors, subcontractors, experts, consultants, and interns undergo a background investigation and favorable adjudication to determine their suitability and fitness for Treasury employment.

[4] TD P 15-71, “Treasury Security Manual, Chapter II section 2, Investigative Requirements for Federal Employees, Contractors, Subcontractors, Experts, Consultants and Paid/Unpaid Interns” (July 2011).

If non-TNet AT&T technical support personnel had physical access to TNet IDC cages without undergoing background investigation, there was an increased risk that individuals with unvetted backgrounds may have had physical access to Treasury assets without Treasury’s consent. Accordingly, all personnel who need to have physical access to TNet’s primary IDC cages need to undergo background investigations.

We found that the IDC cages’ power supply units were not locked even though AT&T TNet policy requires that all supporting infrastructure such as power, environmental conditioning, and security cages be protected.[5] According to the IDC Network Architect, the power supply units were left unlocked due to an oversight by AT&T technical support personnel. If power supply units for the IDC cages are not locked, the power could have been turned off by unauthorized individuals, which could have affected availability of service.

[5] AT&T TNet policy, “Physical and Environmental Policy and Procedures,” Version 2.0 (Apr. 2011).

As mentioned above, we found a number of failed hard disk drives at the IDC that were not properly labeled or tracked prior to destruction. AT&T TNet policy requires that hard disk drives that cannot be cleared [wiped of content] because of a failure be placed in a box marked “SENSITIVE BUT UNCLASSIFIED.” Failed hard disk drives are to be released from the TNet environment only after they have been physically destroyed or degaussed using approved methods.[6]

[6] AT&T TNet policy, “Treasury Network Media Protection Policy and Procedures,” Version 2.0 (Mar. 2011).

The IDC Network Architect could not explain why the failed hard disk drives were not properly labeled or why they were not inventoried. Without an inventory of failed hard disk drives prior to destruction, missing or stolen drives could go undetected, which could allow for the inappropriate release of sensitive Treasury information. We have since been told that these disks were returned to Treasury for destruction.

Recommendations

We recommend that the Treasury CIO do the following:

1. Ensure that a background investigation is performed for all AT&T personnel who need physical access to TNet’s primary IDC cages.

Management Response

Treasury concurred with this recommendation. Treasury will send a contracts letter requiring AT&T to formally revoke physical access of any AT&T employee that does not have the requisite Treasury background investigation. It is anticipated that this planned corrective action will be completed by December 31, 2012.

OIG Comment

Management’s planned corrective action is responsive to our recommendation.

2. Remind AT&T to lock power supply units for TNet’s primary IDC cages in accordance with AT&T TNet policy for physical and environmental controls.

Management Response

Treasury concurred with this recommendation. Treasury will send a contracts letter to AT&T, where the language in AT&T’s Physical and Environmental Controls Policies and Procedures regarding secure access to all power supply units will be reiterated. It is anticipated that this planned corrective action will be completed by December 31, 2012.

OIG Comment

Management’s planned corrective action is responsive to our recommendation.

3. Amend TNet policy and procedures to require that failed hard disk drives be inventoried and destroyed promptly using a Treasury approved method.

Management Response

Treasury concurred with this recommendation. Treasury will direct AT&T to amend or modify its Media Protection Policy and Procedures so that failed hard disk drives are inventoried and destroyed using an approved method. It is anticipated that this planned corrective action will be completed by December 31, 2012.

OIG Comment

Management’s planned corrective action is responsive to our recommendation.

4. Ensure that failed hard disk drives at TNet’s primary IDC are properly labeled and inventoried for tracking purposes and destroyed on a timely basis using a Treasury approved method.

Management Response

Treasury concurred with this recommendation. Treasury will require AT&T to provide quarterly hard drive destruction logs to ensure they are being labeled, inventoried, and destroyed in accordance with established policy. It is anticipated that this planned corrective action will be completed by June 1, 2013.

OIG Comment

Management’s planned corrective action is responsive to our recommendation.


Finding 2    Not All Security Controls Required by NIST SP 800-53, Revision 3, Were Tested and Implemented

We found that not all of the security controls required by NIST SP 800-53, Revision 3, dated August 2009, were tested and implemented for TNet. These security controls are the management, operational, and technical safeguards or countermeasures intended to protect the confidentiality, integrity, and availability of the system and its information.

The TNet contract between Treasury and AT&T requires that AT&T comply with all National Institute of Standards and Technology (NIST) security policies as well as Treasury’s information technology security policies, as these documents are modified and become available. Furthermore, Federal agencies are required to comply with NIST SPs within 1 year of the publication date unless otherwise directed by the Office of Management and Budget (OMB).[7] The 1 year compliance date applies to all new and/or revised NIST SPs.

[7] OMB Memorandum M-11-33, “FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management,” (Sept. 2011).

According to the TNet PMO Director, in January 2011, a management decision was made to pursue an ATO for TNet which was to be based on compliance with security controls in NIST SP 800-53, Revision 2, dated December 2007 (under which significant work had already been performed), with the understanding that the security controls in NIST SP 800-53, Revision 3, dated August 2009, would be implemented sometime afterward. He also told us that a POA&M item was added to track compliance with NIST SP 800-53, Revision 3. We reviewed the 2012 POA&M, dated June 7, 2012, and found that an entry was made directing AT&T to comply with the most up-to-date NIST SP 800-53 guidance and prepare a revised TNet System Security Plan (SSP). We verified that the SSP was updated to incorporate the latest version of NIST SP 800-53. The TNet PMO later informed us that only one-third of the controls were tested.

If all required security controls were not tested, TNet PMO could not ensure that the controls were in place and operating as intended. Therefore, safeguards or countermeasures intended to protect the confidentiality, integrity, and availability of TNet and its information could be ineffective.

Recommendation

5. We recommend that the Treasury CIO ensure that AT&T continue to test all NIST SP 800-53, Revision 3, security controls as soon as possible.

Management Response

Treasury concurred with this recommendation. Treasury will continue to test NIST SP 800-53 controls in accordance with Treasury policy. It is anticipated that this planned corrective action will be completed by June 1, 2013.

OIG Comment

Management’s planned corrective action is responsive to our recommendation.


Finding 3    TNet’s Patch Management Process Was Not Fully Implemented

We found that TNet’s patch management process was not fully implemented. Specifically, we found that the TNet flaw remediation process was incomplete. We also found that some of the quarterly vulnerability scans were not performed for all locations.

For the purposes of assessing the flaw remediation control, AT&T implemented 41 patches during calendar year 2011. According to the AT&T TNet Information System Security Manager (ISSM), TNet’s flaw remediation process for fixing vulnerabilities consisted of the following five steps: (1) identification, (2) analysis, (3) technical review board, (4) testing, and (5) deployment. AT&T could not provide evidence that the five-step flaw remediation process was followed for the 41 patches. Furthermore, for calendar year 2011, AT&T provided us evidence of some quarterly scanning for critical devices at its IDC in Ashburn, Virginia, and in Mesa, Arizona. Based on our review of the scan results provided from the Ashburn and Mesa locations, we found that a vulnerability discovered in the quarter one scan was reported again in the quarter two scan, indicating that the vulnerability had not been remediated in a timely manner. Additionally, we found that the quarter four scan for the Ashburn location was not performed.

NIST SP 800-53, Revision 3, requires the following flaw remediation control procedures:

•   The organization identifies, reports, and corrects information system flaws.
•   The organization tests software updates related to flaw remediation for effectiveness before installation.
•   The organization incorporates flaw remediation into the organizational configuration management process.

NIST SP 800-53, Revision 3, also requires the following vulnerability scanning control procedures:

•   The organization scans for vulnerabilities in the information system and hosted applications in accordance with the organization-defined frequency and/or the organization-defined process for random scans.
•   The organization defines the response times for remediating legitimate vulnerabilities in accordance with an organizational assessment of risk.
•   The organization remediates legitimate vulnerabilities in accordance with organization-defined response times.

NIST SP 800-53, Revision 3, provided up-to-date requirements for these controls; however, the majority of the controls were already required in Revision 2. AT&T TNet policy, “Patch and Vulnerability Management Policy and Procedures,” Version 3.1, dated March 2011, requires that TNet Subject Matter Experts who specialize in and support a particular technology currently deployed within TNet do the following:

•   Monitor vendor sites for their assigned technology for security patches and updates.
•   Determine the impact of patches on the TNet environment and advise the TNet Technical Review Board.
•   Test security patches prior to deployment.

AT&T TNet policy required that AT&T perform vulnerability scans on information systems and applications on a quarterly basis or when critical or high vulnerabilities are identified and reported. Critical vulnerabilities are required to be remediated within 72 hours of patch availability. However, AT&T TNet policy allowed for exceptions during system maintenance periods.

According to the AT&T TNet ISSM, TNet’s patch management process was not fully implemented during calendar year 2011. He said there was also a POA&M item related to this security weakness. He told us that Treasury officials had been made aware of this deficiency and that AT&T is working towards resolving the issue. Based on our review of the 2011 TNet POA&M, we confirmed that the item was entered into the POA&M.

AT&T was unable to explain why it did not follow the remediation process for all of the 41 patches it pushed through. Furthermore, AT&T was unable to tell us why the vulnerability discovered in the quarter one scan was not addressed prior to the quarter two scan for the Ashburn and Mesa locations. Lastly, AT&T told us that the quarter four scan at the Ashburn location was not run due to technical issues.

By not fully implementing a comprehensive patch management process, TNet PMO cannot effectively manage the risks resulting from security vulnerabilities to TNet. If flaw remediation processes are not followed for all patches applied, patches may be deployed without approval and testing, which could render the system unavailable or inoperable. Furthermore, if missing patches are not identified and applied in a timely manner, the vulnerabilities resulting from these missing patches could put TNet at risk of exploitation, especially when TNet is facing the Internet. Lastly, TNet PMO is not fully compliant with NIST SP 800-53 and TNet policy for patch and vulnerability management.

Recommendations

We recommend that the Treasury CIO do the following:

6. Ensure that AT&T, in accordance with TNet PMO guidance, implements and documents all steps in the flaw remediation process for TNet.

Management Response

Treasury concurred with this recommendation. Treasury will require AT&T to provide Treasury with a flaw remediation process that has identifiable inputs, repeatable processes, tangible outputs, and mechanisms for communication. Treasury further stated that the process will be compliant with government and contractual requirements. It is anticipated that this planned corrective action will be completed by March 1, 2013.

OIG Comment

Management’s planned corrective action is responsive to our recommendation.

7. Ensure that quarterly vulnerability scans are performed and any discovered vulnerabilities are remediated within 72 hours of patch availability.

Management Response

Treasury concurred with this recommendation. Treasury will require AT&T to schedule quarterly vulnerability scans and provide evidence of completion, to include remediation of discovered vulnerabilities within 72 hours of patch availability. It is anticipated that this planned corrective action will be completed by December 31, 2012.

OIG Comment

Management’s planned corrective action is responsive to our recommendation.


Finding 4    The COR and TNet PMO Did Not Adequately Monitor TNet’s Security Performance Measures

We found that the COR and TNet PMO did not adequately monitor AT&T’s performance against the security performance measures provided for in its contract with Treasury. Specifically, the COR and TNet PMO did not ensure that all security-related performance measures were met during calendar years 2010 and 2011. The contract provided for the following security performance measures:

•   The contractor is required to ensure that 75 percent of all TNet security controls comply satisfactorily with stated objectives as required by the NIST SPs and Treasury, prior to the biannual compliance verification.
•   The contractor is required to implement United States Computer Emergency Readiness Team recommended patches within 36 hours, or to implement compensating controls to protect systems from the vulnerability the patch is intended to address until the patch can be tested to be effective and not cause instability.
•   The contractor is required to detect 100 percent of simulated intrusion attacks.
•   The contractor is required to detect 100 percent of simulated denial of service (DoS) attacks.

However, we found that:

•   AT&T did not perform the security control compliance testing in 2010. It should be noted that AT&T did perform security control compliance testing in 2011, with a 90 percent compliance rate.
•   AT&T did not implement security patches within 36 hours of availability. Although we asked multiple times, neither the TNet PMO nor AT&T could provide a report indicating how long it took to implement patches.
•   AT&T did not test TNet’s security intrusion detection and DoS detection capability in 2011. It should be noted that AT&T did test for this in 2010 with no deficiencies identified.

While these performance measures were provided for in the contract, AT&T did not always meet them, and the COR and TNet PMO did not independently monitor or evaluate AT&T’s performance against them. As a result, the COR and TNet PMO did not notify the contracting officer about AT&T’s failure to meet some of the required security performance measures.

Even if the contracting officer had been notified, we found that the TNet contract contained no penalties for not meeting the security performance measures discussed above. Treasury had an opportunity to incorporate penalties for not meeting these performance measures when the contract was amended in June 2011.

The TNet PMO told us that it only began to focus more on the security performance measures recently, seeing them as a low priority in the past. The TNet PMO told us that the security SLAs, which are where the security performance measures discussed above are spelled out in the contract, were established as annual benchmarks or targets. According to the TNet PMO, only monthly SLAs had disincentives or penalties associated with them. Since the security SLAs had no associated disincentives, they were not priorities for the vendor. The TNet PMO also told us that the focus was on network stabilization, change management, and service delivery.

If security performance measures are not met, TNet may be vulnerable to attacks and compromises, including denial of service and other network intrusions.
Furthermore, without effective\nmonitoring and evaluation of the security related performance\nmeasures, the COR and TNet PMO may not be aware of AT&T\xe2\x80\x99s\nfailure to comply with the required security performance measures\nin order to alert the CO. As a result, the CO may not be able to\nmake informed decisions in administering the contract in the best\ninterest to the government. Without penalties in the contract for\nthe security related performance measures, Treasury may have no\nlegal recourse to assess damages or apply disincentives against\nAT&T for the failure to meet the security performance measures.\n\n\n\n\nTreasury\xe2\x80\x99s Security Management of TNet Needs Improvement      Page 14\n(OIG-12-076)\n\x0cRecommendations\n\nWe recommend that the Treasury CIO do the following:\n\n8.   Ensure that security control compliance testing is performed in\n     accordance with the contract.\n\nManagement Response\n\nTreasury concurred with this recommendation. Treasury will\ncontinue to track security control compliance testing in accordance\nwith contractual requirements. It is anticipated that this planned\ncorrective action will be completed by June 1, 2013.\n\nOIG Comment\n\nManagement\xe2\x80\x99s planned corrective action is responsive to our\nrecommendation.\n\n9.   Ensure that security patches are implemented within 36 hours\n     of availability in accordance with the contract.\n\nManagement Response\n\nTreasury concurred with this recommendation. Treasury will require\nAT&T to provide Treasury with a contractually compliant flaw\nremediation process that has identifiable inputs, repeatable\nprocesses, tangible outputs, and mechanisms for communication. It\nis anticipated that this planned corrective action will be completed\nby March 1, 2013.\n\nOIG Comment\n\nManagement\xe2\x80\x99s planned corrective action is responsive to our\nrecommendation.\n\n10. 
Ensure that testing for intrusion detection and DoS detection\n    is performed in accordance with the contract.\n\n\n\n\nTreasury\xe2\x80\x99s Security Management of TNet Needs Improvement      Page 15\n(OIG-12-076)\n\x0c            Management Response\n\n            Treasury concurred with this recommendation. Treasury will retain\n            a new Trusted Internet Connection provider that will provide\n            intrusion detection and denial of service detection. It is anticipated\n            that this planned corrective action will be completed by March 1,\n            2013.\n\n            OIG Comment\n\n            Management\xe2\x80\x99s planned corrective action is responsive to our\n            recommendation.\n\n            11. Ensure that TNet PMO, in coordination with the contracting\n                officer and COR, review all security performance measures in\n                the contract, negotiate with AT&T the terms for when\n                penalties are to be applied in the event a measure is not met,\n                and amend the contract accordingly.\n\n            Management Response\n\n            Treasury concurred with this recommendation. Treasury will\n            evaluate the utility, adequacy, and enforceability of existing SLAs\n            and collaborate with AT&T to define security performance\n            measures and negotiate possible penalties. It is anticipated that this\n            planned corrective action will be completed by June 1, 2013.\n\n            OIG Comment\n\n            Management\xe2\x80\x99s planned corrective action is responsive to our\n            recommendation.\n\n\nFinding 5   POA&M Management Could Be Improved\n            We found that certain security weaknesses were not always\n            remediated on schedule, and that the POA&M was not always\n            documented in accordance with OMB and NIST guidance. 
Based on\n            our review of the 2011 TNet POA&M, we found that the TNet\n            PMO did not ensure that 4 of 53 security weaknesses scheduled to\n            be completed in 2010 were remediated on schedule. It took the\n\n\n            Treasury\xe2\x80\x99s Security Management of TNet Needs Improvement        Page 16\n            (OIG-12-076)\n\x0c                       TNet PMO 18 to 26 months longer than the scheduled completion\n                       date to resolve these four security weaknesses. We also found that\n                       justifications for POA&M item delays, waivers, and cancellations\n                       were not always documented, and that the TNet POA&M sections,\n                       such as milestone changes and source of weaknesses, were not\n                       completed in accordance with OMB requirements.\n\n                       OMB Memorandum 02-018 requires federal agencies to implement\n                       a POA&M process to identify tasks that are necessary to remediate\n                       identified security weaknesses. The POA&M is to include details of\n                       the weaknesses, point of contact, resources required, scheduled\n                       completion date, milestones with completion dates, changes to\n                       milestones, source of the identification of the weakness (i.e., audit\n                       report or other review), and status.\n\n                       NIST SP 800-659 recommends, among other things, that changes\n                       to the milestones section of the POA&M, document any changes to\n                       timelines. It also recommends the POA&M\xe2\x80\x99s source of security\n                       weakness section, document where and how the weakness was\n                       identified (e.g., risk assessment). 
Lastly, the POA&M\xe2\x80\x99s comments\n                       section provides space for additional detail or clarification (e.g.,\n                       causes for delays or potential factor that may impact weakness\n                       mitigation).\n\n                       According to the TNet PMO Director, who was not with the TNet\n                       PMO at the time when the security weaknesses were recorded in\n                       the 2011 POA&M, the reason why the security weaknesses were\n                       not remediated in a more timely manner was due to higher priority\n                       efforts given to the transition of the wide-area-network from\n                       Treasury Communication System to TNet. With regard to not\n                       having justifications for POA&M item delays, waivers, and\n                       cancellations, the TNet PMO Director was unable to explain why\n                       these decisions were not documented in the POA&M.\n\n                       If security weaknesses are not remediated in a timely manner, they\n                       could compromise the confidentiality, integrity, or availability of\n\n8\n  OMB Memorandum 02-01, Guidance for Preparing and Submitting Security Plans of Action and\nMilestones (Oct. 17, 2001).\n9\n  NIST SP 800-65, Version 1.0, Integrating IT Security into the Capital Planning and Investment Control\nProcess (Jan. 2005).\n\n\n                       Treasury\xe2\x80\x99s Security Management of TNet Needs Improvement                 Page 17\n                       (OIG-12-076)\n\x0cTNet\xe2\x80\x99s systems. Also, by not completing the POA&M\xe2\x80\x99s sections for\nchanges to milestones, source of weakness, and comments,\nTreasury officials may not be able to effectively track the progress\nof corrective actions.\n\nRecommendations\n\nWe recommend that the Treasury CIO do the following:\n\n12. 
Ensure that security weaknesses are remediated on schedule\n    and where there are delays, waivers, or cancellations, they be\n    documented in the POA&M.\n\nManagement Response\n\nTreasury concurred with this recommendation. Treasury will work\ntoward remediating security weaknesses on schedule and ensure\ndelays, waivers, cancellations, milestone changes, and the sources\nof security weaknesses are entered into Trusted Agent FISMA. It is\nanticipated that this planned corrective action will be completed by\nOctober 15, 2012.\n\nOIG Comment\n\nManagement\xe2\x80\x99s planned corrective action is responsive to our\nrecommendation.\n\n13. Ensure that the POA&M sections for milestone changes,\n    source of security weakness, and comments are complete.\n\nManagement Response\n\nTreasury concurred with this recommendation. Treasury will ensure\ndelays, waivers, cancellations, milestone changes, and the sources\nof security weaknesses are entered into Trusted Agent FISMA. It is\nanticipated that this planned corrective action will be completed by\nOctober 15, 2012.\n\n\n\n\nTreasury\xe2\x80\x99s Security Management of TNet Needs Improvement      Page 18\n(OIG-12-076)\n\x0c            OIG Comment\n\n            Management\xe2\x80\x99s planned corrective action is responsive to our\n            recommendation.\n\n\nFinding 6   Certain TNet Security Procedures Were Not Documented\n            As Required\n            We found that certain other TNet procedures need to be more fully\n            documented. 
For example, we found that AT&T\xe2\x80\x99s procedures for\n            configuration management, security planning, and system and\n            services acquisition were incomplete or missing information.\n\n            NIST SP 800-53, Revision 3, requires that:\n\n            \xef\x82\xb7   The organization configuration management procedures\n                facilitate implementation of the configuration policy and\n                associated configuration management controls.\n            \xef\x82\xb7   The organization security planning procedures facilitate\n                implementation of the security planning policy and associated\n                security planning controls.\n            \xef\x82\xb7   The organization system services and acquisition procedures\n                facilitate implementation of the system and services acquisition\n                policy and associated system services and acquisition controls.\n\n            NIST 800-53, Revision 3, contains up-to-date requirements for\n            these procedures; however, these procedures were already required\n            in Revision 2.\n\n            According to the AT&T TNet ISSM, all policy statements will not\n            have corresponding procedures. He said that there are times when\n            the policy statement is considered to be sufficiently explanatory.\n            When this is the case, AT&T does not document step-by-step\n            procedures. While we acknowledge the AT&T TNet ISSM\xe2\x80\x99s\n            rationale, we believe that configuration management, security\n            planning, and system and services acquisition need documented\n            procedures in order to facilitate consistent conformance to\n            technical requirements and practices. 
Also, as a result of the\n            documentation issues noted above, AT&T TNet procedures are in\n            non-compliance with NIST SP 800-53, Revision 3, requirements.\n\n            Treasury\xe2\x80\x99s Security Management of TNet Needs Improvement      Page 19\n            (OIG-12-076)\n\x0cProcedures that contain incomplete or missing information increase\nthe risk of inconsistent practices among AT&T personnel.\n\nRecommendation\n\n14. We recommend that the Treasury CIO ensure that AT&T\xe2\x80\x99s\n    procedures for configuration management, security planning,\n    and system and services acquisition are fully documented.\n\nManagement Response\n\nTreasury concurred with this recommendation. Treasury will require\nAT&T to map each requirement to a corresponding procedure in\nthe policy documents referenced. It is anticipated that this planned\ncorrective action will be completed by March 1, 2013.\n\nOIG Comment\n\nManagement\xe2\x80\x99s planned corrective action is responsive to our\nrecommendation.\n\n                                ******\n\nI would like to extend my appreciation to the Office of the CIO and\nthe TNet PMO for the cooperation and courtesies extended to my\nstaff during the audit. If you have any questions, please contact\nme at (202) 927-5171 or Farbod Fakhrai, Information Technology\nAudit Manager, at (202) 927-5841. Major contributors to this\nreport are listed in appendix 3.\n\n\n\n/s/\n\n\nTram Jacquelyn Dang\nDirector of Information Technology Audits\n\n\n\n\nTreasury\xe2\x80\x99s Security Management of TNet Needs Improvement      Page 20\n(OIG-12-076)\n\x0cAppendix 1\nObjectives, Scope, and Methodology\n\n\n\n\nThe report represents the results of our audit of the Department of\nthe Treasury\xe2\x80\x99s security management of Treasury Network (TNet).\nThe objective of this audit was to determine whether Treasury\nensured that TNet security controls met federal standards and\nguidelines. 
This audit was included in the Office of Inspector\nGeneral Annual Plan for 2012.\n\nTo accomplish our objective, we reviewed and analyzed TNet\xe2\x80\x99s\nsecurity related documentation including policies and procedures.\nWe performed observation and testing at the TNet contractor,\nAT&T, facilities in Oakton and Ashburn, Virginia. We also\ninterviewed Treasury and AT&T personnel responsible for the\nsecurity management of TNet. We utilized National Institute of\nStandards and Technology guidelines to assess TNet\xe2\x80\x99s\nmanagement, operational, and technical controls. We performed\nour fieldwork in the Washington, DC, metropolitan area from\nNovember 2011 through June 2012. The results of this audit may\nbe used to support our work undertaken in accordance with the\nrequirements of the Federal Information Security Management Act.\n\nWe conducted this performance audit in accordance with generally\naccepted government auditing standards. Those standards require\nthat we plan and perform the audit to obtain sufficient, appropriate\nevidence to provide a reasonable basis for our findings and\nconclusions based on our audit objectives. 
We believe that the\nevidence obtained provides a reasonable basis for our findings and\nconclusions based on our audit objectives.\n\n\n\n\nTreasury\xe2\x80\x99s Security Management of TNet Needs Improvement      Page 21\n(OIG-12-076)\n\x0cAppendix 2\nManagement Response\n\n\n\n\nTreasury\xe2\x80\x99s Security Management of TNet Needs Improvement   Page 22\n(OIG-12-076)\n\x0cAppendix 2\nManagement Response\n\n\n\n\nTreasury\xe2\x80\x99s Security Management of TNet Needs Improvement   Page 23\n(OIG-12-076)\n\x0cAppendix 2\nManagement Response\n\n\n\n\nTreasury\xe2\x80\x99s Security Management of TNet Needs Improvement   Page 24\n(OIG-12-076)\n\x0cAppendix 2\nManagement Response\n\n\n\n\nTreasury\xe2\x80\x99s Security Management of TNet Needs Improvement   Page 25\n(OIG-12-076)\n\x0cAppendix 3\nMajor Contributors to This Report\n\n\n\n\nOffice of Information Technology (IT) Audits\n\n  Tram J. Dang, Audit Director\n  Farbod Fakhrai, IT Audit Manager\n  Abdirahman Salah, Former IT Audit Manager\n  Robert Kohn, Auditor-in-Charge\n  Kevin Mfume, IT Specialist\n  Don\xe2\x80\x99te Kelley, IT Specialist\n  Mitul Patel, IT Specialist\n  Jason Beckwith, IT Specialist\n  Jason Madden, Referencer\n\n\n\n\nTreasury\xe2\x80\x99s Security Management of TNet Needs Improvement   Page 26\n(OIG-12-076)\n\x0cAppendix 4\nReport Distribution\n\n\n\n\nDepartment of the Treasury\n\n   Office of the Chief Information Officer\n   Office of Strategic Planning and Performance Management\n   Office of the Deputy Chief Financial Officer, Risk and Control\n      Group\n\nOffice of Management and Budget\n\n   Office of Inspector General Budget Examiner\n\n\n\n\nTreasury\xe2\x80\x99s Security Management of TNet Needs Improvement      Page 27\n(OIG-12-076)\n\x0c"